[Mailman-Developers] bug report submitted: admin password is
checked when it should not
Heiko.Scheit at mpi-hd.mpg.de
Heiko.Scheit at mpi-hd.mpg.de
Mon Feb 16 05:33:33 EST 2004
For your information: I just submitted the bug report below on
the SF mailman page.
Greetings, Heiko.
admin password is checked when it should
-----------------------------------------
To see the problem you have to be the administrator of a
list. Go to the members options login page
.../mailman/options/<listname>
and enter something like a valid email address, e.g.:
xxx at xxx.xxx
and as password enter the ADMIN password! You will get
something like:
Bug in Mailman version 2.1.4
We're sorry, we hit a bug!
The problem seems to be that the password entered in the
members options login page is also checked against the
admin password, which should not be done. It should only
be checked if the admin-cookie is set, so that the admin
(who logged on via the admin page) can also modify user
settings.
What is worse: if you enter a valid email address (of a
list member) and the admin password you are the admin.
So, any list member that happens to choose the same
password as the admin has full access to the
administrative interface.
Somehow I think it would be better to also have an admin
username and not just an admin password. Or, for each
member an admin flag can be set. The admin has to be a
member and can login with email and password as anybody
else.
------------------------------------------------------------------------
Heiko Scheit | http://www.mpi-hd.mpg.de/cb
Max-Planck-Institut f"ur Kernphysik |
Saupfercheckweg 1 | heiko.scheit at mpi-hd.mpg.de
69117 Heidelberg | TEL ++49 6221 516 529
GERMANY | FAX ++49 6221 516 602
More information about the Mailman-Developers
mailing list